java - How to use expression-based access control in spring? -


i new spring.i have created api user login.the user login method contains following codes:

authentication auth =new usernamepasswordauthenticationtoken(repo.findbyemail(user.getemail()), null, repo.findbyemail(user.getemail()).getauthorities());  securitycontextholder.getcontext().setauthentication(auth); principal principal= securitycontextholder.getcontext().getauthentication(); return (user) auth.getprincipal(); 

the login api gives me following json:

{ "userid": 1, "username": "ramesh khadka", "email": "test@gmail.com", "enabled": true, "role": "manager", "username": "ramesh khadka", "authorities": [     {         "authority": "role_manager"     } ], "accountnonexpired": true, "accountnonlocked": true, "credentialsnonexpired": true } 

i have api users uses @preauthorize("hasauthority('role_manager')") check authorities granted.when call api following message shown:-

{ "error": "unauthorized", "error_description": "full authentication required access resource" } 

i cannot figure out doing wrong.could me on this?

my authorizationserver is:-

@configuration @enableauthorizationserver public class securityserver extends authorizationserverconfigureradapter { @autowired @qualifier("userdetailsservice") private userdetailsservice userdetailsservice;  @autowired private authenticationmanager authenticationmanager;  @override public void configure(authorizationserversecurityconfigurer security) throws exception {     security.checktokenaccess("isauthenticated()"); }  @override public void configure(clientdetailsserviceconfigurer clients) throws exception {     // super.configure(clients);     clients.inmemory()             .withclient("test")             .accesstokenvalidityseconds(3600)             .authorizedgranttypes("authorization_code","refresh_token","password","client_credentials")             .secret("user")             .scopes("read", "write", "trust")             .redirecturis("/error")             .resourceids("resource"); }  @override public void configure(authorizationserverendpointsconfigurer endpoints) throws exception {     endpoints.authenticationmanager(this.authenticationmanager);     endpoints.userdetailsservice(userdetailsservice); } @bean public passwordencoder passwordencoder() {     return new bcryptpasswordencoder(); } @bean public filterregistrationbean corsfilter() {     urlbasedcorsconfigurationsource source = new urlbasedcorsconfigurationsource();     corsconfiguration config = new corsconfiguration();     config.setallowcredentials(true);     config.addallowedorigin("*");     config.addallowedheader("*");     config.addallowedmethod("*");     source.registercorsconfiguration("/**", config);     filterregistrationbean bean = new filterregistrationbean(new corsfilter(source));     bean.setorder(ordered.highest_precedence);     return bean; } 

}

as described in code have use '@preauthorize("hasauthority('role_manager')")'

hasauthority([authority]) --> returns true if current principal has specified authority.

please add '@preauthorize("hasrole('manager')") `

@preauthorize("hasrole('user')") public void create(contact contact); 

either may use role looking , check hasanyrole([role1,role2]) --> returns true if current principal has of supplied roles (given comma-separated list of strings). default if supplied role not start 'role_' added. can customized modifying defaultroleprefix on defaultwebsecurityexpressionhandler.

for more may refer these links: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html https://dzone.com/refcardz/expression-based-authorization


Comments

Popular posts from this blog

php - Vagrant up error - Uncaught Reflection Exception: Class DOMDocument does not exist -

vue.js - Create hooks for automated testing -

Add new key value to json node in java -